As the 2022 comes to an end, it is noticed that API security has been quite popular among the newer evolving threat landscape. APIs are being implemented everywhere in the modern times enabling different applications to communicate with each other. Moreover APIs help to access data and services effectively. APIs are important now due to the improved efficiency and enhanced user experience they enable including the increased innovation and collaboration they facilitate. Due to the ability to integrate data from multiple sources, APIs have become an essential part of modern software development and are widely used across a range of industries.
Previously in 2021, Gartner had predicted that in 2022 API attacks will become more frequent among all attack vectors that cause data breaches and security compromises in enterprise web applications.
Gartner’s accurate prediction: API security
Gartner for once again, had their predictions proven right.
Optus Data Breach
Optus, a leading Australian telecommunications company went through a massive data breach back in September 2022. FBI had helped them investigate the data breach that seemed to be “easily preventable” in which sensitive information of their nearly 10 million customers was exposed. The threat actor had threatened the company to expose their customer’s sensitive data and demanded for a ransom of $1 million while threatening to expose the data in batches unless the ransom was paid. The hackers did expose the sensitive data of their 10,200 customers in start to prove their claim. The hackers apparently had a change of heart after which they claimed that they had deleted the stolen data from Optus.
Twitter’s API security breach
Back in August 2022, Twitter published a blog post in which they accepted that they went through an API security breached which lead to hackers exposing data of nearly 5.4 million users. The vulnerability that was discovered in their APIs allowed attacker to submit an email address to Twitter’s systems and their system revealed the details of the account that email was linked to.
Not only Gartner but Salt Security reported that over the past 12 months, 95% of the organisations experienced security problems in their production APIs whereas 20% of the organisations experienced a data breach due to the vulnerabilities discovered in their APIs.
The problematic thing with such discoverable vulnerabilities is that if an attacker is able to control an API, it exposes the organisation’s underlying databases that is deployed along with all of the information and data that is contained in it.
RELATED: Penetration Testing as a Service(PTaaS) Over Traditional Penetration Testing
API Common Attacks
While referring to API security, it is all about the measures and prevention techniques to secure APIs in order to protect the data that they transmit. The most common attacks experienced on APIs that we protect against are the injection attacks leading to unauthorised access, Distributed Denial of Service(DDoS), Cross Site Scripting(XSS) attacks and Cross-Site Request Forgery(CSRF) attacks that can allows attackers to perform actions on behalf of the user without letting them know a bit of it.
Protecting APIs against attacks is a bit complicated and much of an art as it involves the technical skills along with organisational skills altogether.
On the technical skills we look at the protecting APIs focussing on it’s authorisation, authentication, encryption and its monitoring. Whereas for the organisational skills, it is important to look at why the API was designed and who exactly was it designed it for. Moreover it is important to note how much of the data is and should be presented to the outside world along with the way it is presented.
How are APIs protected
There are certain procedures that we can follow to protect APIs to some extent but the greatest hurdle throughout the process is the discovery of APIs in order to protect them.
API discovery is essential for the security strategy as we need to know what to secure before our attempts to secure it. It is important to catalog each of the API that is deployed so that the security team can assess its attack surface, assessing if it complies with the organisation’s policies to further reveal where sensitive data is exposed and requires attention.
The API discovery mostly relies on the developers to document them properly along with documenting its parameters properly so that the security team is aware of how the data is retrieved through the APIs and the API changes to the documentation must be maintained. The API documentations are often not updated this frequently to record every change but it must be followed.
Cataloging APIs for its security
As we already discussed the importance of cataloging APIs after finding each one of them, it’s important to discuss how we can catalog each individual API properly. Although it can be observed that the organisations that catalog each of the API is pretty low and are small in number. Due to the rapid development requirements, for developer’s convenience and a constantly increasing pressure towards providing features in the fastest way contributes towards mystery APIs popping out which are unlikely to be cataloged.
The following checklist serves as an example as to how the APIs must be cataloged in order to effectively cover their security aspects.
- Name
- Tools and packages that are used to build this API
- Server that this API runs on
- Services that rely on this API
- Documentation of all the possible valid uses and error codes
- Performance metrics
- Expected uptime or downtime windows
All of this information must be recorded and the cybersecurity team must be given access to it so that they can include APIs with more of the information to assess the organisation’s attack surface.
This provided information must be used by the cybersecurity team to automate the API testing on a scheduled basis so that these APIs are constantly tested and newer strategies can be developed in order to keep everything secure.
It is important to note that the functional tests for APIs are indeed really important. Functional tests serves as a test to realise if the APIs are delivering as expected but non-functional tests are equally important to be checked as well. The APIs can fail in their functionality, but the important thing to note is that the APIs must fail securely if they fail.
Techniques for API Pentesting/Security testing
When APIs are being tested for its secure, for its penetration testing we have listed some of the techniques that can be used in order to assess in the specified order.
- Behavioural Analysis: This refers to testing if the behaviour of the API in reality matches to what has been described in its documentation. The level of access that is said to be granted in the documentation, the ports mentioned that the API uses, the protocols mentioned and the results of the successful and erroneous queries. Additionally noticing what happens to the system as a whole if this API specifically stops functioning.
- Service Levels: This process involves observing the priority of the process on the server, testing the rate limiting on the API, testing latency settings for the API for both minimum and maximum requests, and the availability windows for the API. Most of these checks at this point are useful to assess API’s readiness against DDoS attacks whereas the other checks monitors the slow memory leaks for the API that in the longer run could have threatened server’s integrity.
- Authentication issues: This process refers to testing the level of access that is granted to its API users. As with any other application or service, the queries need to be sanitised and validated before they are accepted. This level specifically tests API’s readiness against injection attacks, buffer overflows and other relevant attacks.
When designing an API there needs to be a certain level of authentication set up so that its use can be restricted for the user base it is intended for. It is understandable that this process is complex and which is why you could implement Two-Factor authentication for this purpose. However there are countless implementations and security controls for this purpose but the best you can do is integrate the implementations that you feel reasonable and such implementations must be tested regularly or on a scheduled basis to constantly check its effectiveness.
Responding to API attacks
The rule to follow whenever an API is expected to fail, let go its access. It is important to note that under no circumstances the services should fail in an accessible or open state in the end. Rate-limiting must be implemented and the error messages must also be kept generic so that it does not let out any more information.
Moreover the communication with stakeholders is equally important. Whenever an API attack is detected resulting in a data breach, the organisations must effectively communicate with the concerned stakeholders such as the customers or employees. In order to keep them informed of the situation, they must be informed of the steps that are required for them to minimise the damage.
Have anything more to add? Share it in comments or contact us.